Security Vulnerabilities
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks.
CVSS Score
5.3
EPSS Score
0.0
Published
2026-05-18
Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVSS Score
5.4
EPSS Score
0.0
Published
2026-05-18
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVSS Score
8.8
EPSS Score
0.001
Published
2026-05-18
Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
CVSS Score
5.4
EPSS Score
0.001
Published
2026-05-18
Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.
CVSS Score
10.0
EPSS Score
0.001
Published
2026-05-18
HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-05-18
HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-05-18
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-05-18
HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-05-18
Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.
CVSS Score
8.2
EPSS Score
0.0
Published
2026-05-18